Save 37% off PRO during our Black Friday Sale! »

Droot Internals

A658ec7f1badf73819dfa501165016c1?s=47 Yuuki Tsubouchi (yuuk1)
April 23, 2016
Technology
3
18k

Droot Internals

id:y_uuki
第9回 コンテナ型仮想化の情報交換会@福岡

A658ec7f1badf73819dfa501165016c1?s=128

Yuuki Tsubouchi (yuuk1)

April 23, 2016
Tweet

More Decks by Yuuki Tsubouchi (yuuk1)

See All by Yuuki Tsubouchi (yuuk1)
A658ec7f1badf73819dfa501165016c1?s=48 yuukit
0
130
A658ec7f1badf73819dfa501165016c1?s=48 yuukit
1
130
A658ec7f1badf73819dfa501165016c1?s=48 yuukit
1
250
A658ec7f1badf73819dfa501165016c1?s=48 yuukit
4
910
A658ec7f1badf73819dfa501165016c1?s=48 yuukit
4
2.2k
A658ec7f1badf73819dfa501165016c1?s=48 yuukit
1
1.3k
A658ec7f1badf73819dfa501165016c1?s=48 yuukit
0
92
A658ec7f1badf73819dfa501165016c1?s=48 yuukit
1
1.7k
A658ec7f1badf73819dfa501165016c1?s=48 yuukit
1
1.1k

Other Decks in Technology

See All in Technology
140494d272a4d89883a94fdfdb29dea2?s=48 oracle4engineer
PRO
0
100
8d80af14296180866264212adbfb587e?s=48 godan
0
160
91f6ef52b846ca5f00325b05f3e3547d?s=48 cola119
3
820
75c5db1b2af8fa15a273f6ef7fa08467?s=48 juweon
0
2k
50bc42471d197d0dbef7171f2ef85bb6?s=48 comucal
PRO
0
450
140494d272a4d89883a94fdfdb29dea2?s=48 oracle4engineer
PRO
5
520
5d9cd19df0e91caac118b793b4f803d5?s=48 takefumiyoshii
7
3.7k
966e29b84ae7dbde170f66b0bc75b7a6?s=48 ishiayaya
0
1k
A857277d74d4719f7f7751dca5ed553e?s=48 cmusudakeisuke
0
610
32fe1b1b174c69d06b455799ed1fb285?s=48 goyoki
0
120
D907136acebc72f1df878541b26f271a?s=48 pichuang
0
630
88b514e6413838c0d0cfb3257cefd19d?s=48 kamata_shingo
3
650

Featured

See All Featured
170b760e0147792d0140e59ec78e9893?s=48 eitanlees
120
11k
7cbd3f5f922d798cc312eaf596de7ae6?s=48 iamctodd
33
3.1k
053e75a5b48b44d6dd0612795dfb326d?s=48 notwaldorf
55
3.5k
95d9f37115fbb0d13135d0f77132f856?s=48 morganepeng
32
2.6k
C157b16234f1e75e8eac3698c1d4414a?s=48 ddemaree
272
32k
9375a9529679f1b42b567a640d775e7d?s=48 schacon
152
6.9k
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
208
20k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
PRO
324
54k
Aff5641764408271f7bc398f2097edd0?s=48 denniskardys
223
120k
91cefdf141106fa10674aae74ce05890?s=48 yeseniaperezcruz
307
33k
651dcfe41723207fbb0aa044a4f7c07f?s=48 dotmariusz
100
5.8k
D47656e20ff5e42f125fc5ea0fd636c6?s=48 tmm1
64
10k

Transcript

  1. %SPPU*OUFSOBMT JEZ@VVLJ ୈ̕ճίϯςφܕԾ૝Խͷ৘ใަ׵ձ!෱Ԭ

  2. id:y_uuki @y_uuk1 ͸ͯͳ!ژ౎ ΢ΣϒΦϖϨʔγϣϯΤϯδχΞ

  3. IUUQZVVLJIBUFOBCMPHDPNFOUSZESPPU

  4. TL;DR • ιϑτ΢ΣΞґଘ஍ࠈͷղܾͷͨΊʹ DockerΛ࢖͍͍ͨ • ຊ൪؀ڥͰDockerΛӡ༻͢Δͷ͸ͭΒ͍ • ʮBuild, Ship, Runʯͱ͍͏ίϯηϓτ͸޷͖

    • DockerΠϝʔδΛS3Λܦ༝ͯ͠഑෍͠ɺ chrootͰ࣮ߦ͢Δख๏ͷఏҊ

  5. Ծ૝Խٕज़ )8Ծ૝Խ 04Ծ૝Խ ,7. 9FO ʜ γεςϜίϯςφ -9$ ΞϓϦέʔγϣϯ ίϯςφ

    %PDLFS

  6. ͳͥ(๻͸)DockerΛ࢖͏ͷ͔ • ✘ VMΑΓߴ଎ • ✘ Πϛϡʔλϒϧ • ✘ Φʔτεέʔϧ

    • ˚ ϙʔλϏϦςΟ • ◦ ϓϩάϥϚϒϧͳϗετ؀ڥ • ◦ ιϑτ΢ΣΞґଘ஍ࠈͷղܾ

  7. ιϑτ΢ΣΞґଘ஍ࠈ • ͋Διϑτ΢ΣΞ͸͍͍ͨͯෳ਺ͷιϑτ ΢ΣΞʹґଘ͢Δ • ґଘઌͷιϑτ΢ΣΞ΋·ͨෳ਺ͷιϑτ ΢ΣΞʹґଘ͢Δ • ಉ͡؀ڥΛ࠶ݱ͢Δͷ͕೉͍͠ •

    BundlerͳͲΛ࢖ͬͯ΋CͷϥΠϒϥϦʹ ґଘ͢Δ͜ͱ΋

  8. Docker • LinuxͷσΟετϦϏϡʔγϣϯ؀ڥ ͝ͱݻΊͯΠϝʔδԽ • /lib, /usr/bin, /etcͳͲͥΜͿ • Linux

    NamespacesͰಠཱͨ͠؀ڥΛ ࡞ͬͯΠϝʔδΛల։

  9. DockerࠔΔ͜ͱ • Docker Engineͷෆ҆ఆ͞ • ωοτϫʔΫ·ΘΓͷύϑΥʔϚϯεྼԽ • ίϯςφͷΰϛ૟আ • ίϯςφͷແఀࢭσϓϩΠ

    • ίϯςφͷϩά؅ཧ • ίϯςφͷ؂ࢹ • ίϯςφͷσόοά • Docker Registryͷӡ༻

  10. chroot

  11. chroot ☓ Docker ͷΞΠσΞ EPDLFSQVMMNZTRM $0/5"*/&3@*% EPDLFSDSFBUFNZTRM  EPDLFSFYQPSU$0/5"*/&3@*%PNZTRMUBS NZTRMUBSΛ.Z42-Λಈ͔͍ͨ͠ϗετ΁ίϐʔ

    ͢Δɻ UBSYG[WBSDPOUBJOFSTNZTRMNZTRMUBS TVEPDISPPUWBSDPOUBJOFSTNZTRMNZTRME
  12. None

  13. ࠷ۙͷΞϓϦέʔγϣϯσϓϩΠ • git pull͕஗͍ • σϓϩΠαʔό͔Βͷrsync΋஗͍ • tarball σϓϩΠ •

    ੒Ռ෺ΛS3ͳͲʹ഑ஔ͠ɺσϓϩΠઌͰ s3 cp Ͱμ΢ϯϩʔυͯ͠ల։ • Serf/Consul • σϓϩΠαʔό͔ΒͷSSH͕஗͍ͨΊ

  14. Droot

  15. #VJME 4IJQ 3VO ESPPUSVO EPDLFSCVJME ESPPUFYQPSU EPDLFS EBFNPO 4UPSBHF 4

    ESPPUEFQMPZ BXTTDQ BXTTDQ

  16. %PDLFS %SPPU #VJME EPDLFSCVJME EPDLFSCVJME 3FHJTUSZ %PDLFS)VC %JTUSJCVUJPO ͳΜͰ΋Α͍
 "NB[PO4

    'JMF'PSNBU %PDLFSJNBHF ͳΜͰ΋Α͍ FYUBSH[ $POUBJOFS -JOVY /BNFTQBDFT DISPPU

  17. $ droot export • DockerΠϝʔδͷϑΝΠϧγεςϜΛtarܗࣜͰग़ྗ • جຊ͸ docker create &&

    docker export • gzip / aws cli ͱͷύΠϓʹΑΓɺtar.gzԽͯ͠S3ʹ഑ஔ • ϑΝΠϧγεςϜʹdrootઐ༻ͷ؀ڥม਺ϑΝΠϧ (/.drootenv) Λ࢓ࠐΉ ESPPUFYQPSUEPDLFSpMFTBQQcH[JQDR cBXTTDQTCVDLFUBQQUBSH[

  18. $ droot deploy • ඪ४ೖྗ͔ΒtarΞʔΧΠϒΛಡΈࠐΈɺࢦఆ͠ ͨσΟϨΫτϦʹల։ • සൟʹߋ৽͞ΕΔίϯςφͷσϓϩΠΛ૝ఆ • rsync

    mode ͱ symlink mode BXTTDQTCVDLFUBQQUBSH[c HVO[JQDRcESPPUEFQMPZSPPUWBSDPOUBJOFST

  19. symlink ʹΑΔ atomic deploy • σϓϩΠࡁΈͷίϯςφ؀ ڥΛࠩ͠ସ͑Δඞཁ͕͋Δ • https://gist.github.com/ datagrok/3807742#file-

    symlink-replacement-md • symlink Λ rename(2)ɹ (mv -T) Ͱ੾Γସ͑Δ͜ͱ ʹΑΓΞτϛοΫʹσΟϨ ΫτϦΛࠩ͠ସ͑Δ  ᵓᴷᴷBQQBQQENBJO ᵓᴷᴷBQQE ᵋᴷᴷNBJO ᵋᴷᴷCJO ᵋᴷᴷCPPU ᵋᴷᴷEFW  ᵋᴷᴷCBDLVQ ᵋᴷᴷCJO ᵋᴷᴷCPPU ᵋᴷᴷEFW 

  20. $ droot run • ࢦఆͨ͠σΟϨΫτϦΛchroot jailͱ࣮ͯ͠ߦ • σόΠεϑΝΠϧͷ࡞੒ (/dev/null, /dev/zeroͳͲ)

    • ϗετͷ /etc/group, /etc/resolve.confͳͲΛίϐʔ • bind mountͰϗετଆͷ೚ҙͷσΟϨΫτϦΛϚ΢ϯτ • Linux capabilities(7) ͰݖݶΛ཈੍ TVEPESPPUSVODQCJOEWBSMPHSPPU ɹɹWBSDPOUBJOFSTBQQDPNNBOE

  21. chroot(2) • ϓϩηεͷϧʔτσΟϨΫτϦΛมߋ • ϓϩηεͷઈରύεͷ୳ࡧى఺ͷมߋͷΈ • ϓϩηεΛੜ੒ͨ͠Γ͠ͳ͍ • ΧϨϯτσΟϨΫτϦ͸ͦͷ··ͳͷͰcrhootίʔ ϧޙʹchdir(“/“)͢Δ͜ͱ͕ଟ͍

    • jail؀ڥ֎ͷϑΝΠϧ΁షΒΕͨγϯϘϦοΫϦϯ Ϋ΁͸ΞΫηεͰ͖ͳ͍

  22. BindϚ΢ϯτ • Linux 2.2͔Βಋೖ • σΟϨΫτϦ΍ϑΝΠϧΛଞͷҐஔ΁Ϛ΢ϯτ • chroot jail؀ڥ಺͔ΒϚ΢ϯτઌͷϑΝΠϧ΍σΟϨ ΫτϦ΁ΞΫηεͰ͖Δ

    • /var/containers/app/var/log ͱ͔ࢀর͢Δͷ໘౗ • mount -o bind /var/log /var/containers/app/var/log • ϗετͷ /var/log Λڞ༗

  23. LinuxέʔύϏϦςΟ • chroot(2)͸ಛݖϓϩηεͰͳ͍ͱίʔϧͰ͖ͳ͍ • (ݫີʹ͸CAP_SYS_CHROOT) • ͔͠͠ɺεʔύʔϢʔβͰಈ͔͢ͷ͸ෆ҆ • εʔύʔϢʔβͰಈ͔ͭͭ͠ɺcapabilities(7)Ͱඞཁͳ ݖݶҎ֎Λམͱ͓ͯ͘͠

    • CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_SETGID, CAP_SETUID, CAP_NET_BIND_SERVICE ΛڐՄ

  24. Problems

  25. • Docker (NamespacesΛ࢖ͬͨίϯςφ)΄Ͳͷɹ ϙʔλϏϦςΟ͸ͳ͍ • Dockerίϯςφͷ؀ڥม਺͕Ҿ͖ܧ͕Εͳ͍ • Dockerίϯςφ্ͷ user/group ͕σϓϩΠઌ

    ϗετʹ͍ͳ͍ ϙʔλϏϦςΟͷ໰୊

  26. • ؀ڥม਺͸ϑΝΠϧͱͯ͠ӬଓԽ͞Εͳ͍ͷͰɺ Ұ୴ϑΝΠϧʹอଘ • droot export ͰҰ୴Dockerίϯςφͱͯ͠ىಈ͞ ͔ͤͯΒ env ίϚϯυͷ࣮ߦ݁ՌΛ

    /.drootenv ͱ ͯ͠อଘ • droot run Ͱ /.drootnenv ΛಡΈͩͯ͠؀ڥม਺Λ ෮ݩ • droot run —env Ͱ؀ڥม਺ͷ௥Ճɾ্ॻ͖Մೳ ؀ڥม਺ͷҾ͖ܧ͗

  27. • User Namespaces಺Ͱ/etc/groupͳͲΛΈͯඞཁ ͳuser/grpupΛࣗಈ࡞੒ • ϓϩηεπϦʔߏ଄Λ͔͑ͨ͘ͳ͍ͷͰɺclone(2) Ͱ͸ͳ͘ chroot(2) ޙʹ unshare(2)

    ͢Δ • clone(2) ͩͱࢠϓϩηεΛੜ੒͢ΔͨΊɺεʔ ύʔόΠβϓϩηεͷ഑ԼͰdroot runͨ͠ͱ͖ ʹɺγάφϧ؅ཧ͕͏·͍͔͘ͳ͍͔΋ user/groupͷࣗಈ࡞੒(ະ࣮૷)

  28. • ͜Ε͸͓ͦΒ͘ PID Namespacesͷ࿩ • https://lwn.net/Articles/532748/ • Namespaces௚Լͷϓϩηε͕pid 1ͱͯ͠ৼΔ෣͏ඞཁ͕Ͱ ͯ͘Δ

    • orphanϓϩηεͷճऩ͢Δඞཁ͕͋Δ

  29. ίϯςφ͸ ࣗ෼Ͱ࡞ΕΔ

  30. (PMBOH

  31. • github.com/docker/docker/pkg • archive, devicemapper, fileutils, mount, symlink… • github.com/opencontainers/runc/libcontainer

    • Linux Namespaces·ΘΓ • https://github.com/syndtr/gocapability • LinuxέʔύϏϦςΟ • github.com/docker/engine-api • Docker APIΫϥΠΞϯτ ίϯςφπʔϧ޲͚ύοέʔδ

  32. • ࣗ࡞ͷίϯςφπʔϧ Drootͷഎܠͱ࣮૷ • Build, Ship, RunΛ࣮ݱ͢Δୈ̏ͷιϑτ΢ΣΞ • droot export,

    droot deploy, droot run • DockerͰΠϝʔδΛ࡞ͬͯ chroot Ͱ࣮ߦ • ϙʔλϏϦςΟͷ໰୊ͱͦͷղܾ • ίϯςφ͸ࣗ෼Ͱ࡞ΕΔ ·ͱΊ

  33. github.com/yuuki/droot